With 9TB of data, survey is one of the most exhaustive—and illicit—ever done.

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren't intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerrilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either "root" or "admin." When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program's release. That critical mass allowed the hacker to scan the Internet quickly and cheaply: with about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.

More than nine terabytes of data

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," the guerrilla researcher concluded in a 5,000-word report titled "Internet Census 2012: Port scanning /0 using insecure embedded devices." "As a rule of thumb, if you believe that 'nobody would connect to the Internet, really nobody,' there are at least 1,000 people who did. Whenever you think 'that shouldn't be on the Internet but will probably be found a few times' it's there a few hundred thousand times. Like half a million printers, or a million Webcams, or devices that have root as a root password."

In all, the botnet, which the researcher named "Carna" after the Roman goddess of physical health, collected more than 9TB worth of data. It performed 52 billion ICMP ping probes, 180 billion service probe records, and 2.8 billion SYN scan records for 660 million IPs with 71 billion ports tested. The researcher said he took precautions to prevent his program from disrupting the normal operation of the infected devices.

"Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong," he wrote. "Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds."

He continued: "We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users."

The researcher found that his scanning program wasn't the only unauthorized code hitching a free ride on some of the commandeered devices. Competing botnet programs, such as one known as Aidra, infected as many as 30,000 embedded devices, including the Linux-powered Dreambox TV receiver and other devices that run on MIPS hardware. The scanning software detected capabilities in Aidra that forced compromised devices to carry out a variety of denial-of-service attacks on targets selected by the malicious botnet operators.

"Apparently its author only built it for a few platforms, so a majority of our target devices could not be infected with Aidra," the researcher reported. "Since Aidra was clearly made for malicious actions and we could actually see their Internet scale deployment at that moment, we decided to let our bot stop telnet after deployment and applied the same iptable rules Aidra does, if iptables was available. This step was required to block Aidra from exploiting these machines for malicious activity."

The changes didn't survive reboots, however, allowing Aidra to resume control of the embedded devices once they were restarted. Because the scanning program was designed to install itself on uninfected devices, it may have repeatedly disrupted the malicious bot software only to be foiled each time a device was rebooted.

Figure: Carna botnet's 420,000-client distribution, March to December 2012.

Breaking the law

The research project almost certainly violated federal statutes prohibiting the unauthorized access of protected computers and possibly other hacking offenses. And since the unknown researcher is willing to take ethical and legal liberties in his work, it's impossible to verify that he carried out the project in the manner described in the paper. Still, the findings closely resemble those of HD Moore, the CSO of security firm Rapid7 and chief architect of the Metasploit software framework used by hackers and penetration testers. Over a 12-month period last year, he used ethical and legal means to probe up to 18 ports of every IPv4 Internet address three or four times each day. The conclusion: there are about 1.3 billion addresses that respond to various scans, with about 500 million to 600 million of them coming from embedded devices that were never intended to be reachable on the Internet.

Over three months in mid-2012, the researcher sent an astounding 4 trillion service probes, 175 billion of which were sent back and saved. In mid-December the researcher probed the top 30 ports, providing about 5 billion additional saved service probes. A detailed list of the probes sent to specific ports is here.

"This looks pretty accurate," Moore said of the guerrilla report, which included a wealth of raw data to document the findings. "Embedded devices really are one of the most common devices on the Internet, and the security of these devices is terrible. I ran into a number of active botnets using those devices to propagate."

The only way to ultimately confirm the veracity of the findings is to go through the data in precise detail, which is something fellow researchers have yet to do publicly.

Moore said there were advantages and disadvantages to each of the studies. While use of an illicit botnet may have provided greater visibility into the overall Internet population, it amounted to a much briefer snapshot in time. Moore's approach, by contrast, was more limited since it probed just 18 ports. But because it surveyed devices every day for a year, its results are less likely to reflect anomalies resulting from seasonal differences in Internet usage.

Putting aside the ethical and legal concerns of taking unauthorized control of hundreds of millions of devices, the researcher builds a compelling case for taking on the project.

"We would also like to mention that building and running a gigantic botnet and then watching it as it scans nothing less than the whole Internet at rates of billions of IPs per hour over and over again is really as much fun as it sounds like," he wrote. What's more, with the advent of IPv6, the opportunity may never come again, since the next-generation addressing scheme offers orders of magnitude more addresses, which cannot be scanned en masse.

The researcher concluded by explaining the ultimate reason he took on the project.

"I did not want to ask myself for the rest of my life how much fun it could have been or if the infrastructure I imagined in my head would have worked as expected," he explained. "I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the Internet in a way very few people ever will. I decided it would be worth my time."

Promoted Comments

I see significant value in such research, if it could be authorized and conducted at scale. What this guy (and Moore) did reveals a great deal about the general health and security of the public Internet, at all levels. ISPs and other network owners and operators, private or otherwise, might even pay for the information - but probably shouldn't have to.

Think about the government-sponsored "Sam Knows" broadband study as an example, and then add the benefits of detecting major security issues, including the installation of actual malware, such as Aidra. It goes way beyond "what ports are open that probably shouldn't be?" Major benefits there! Ownership and/or governance are quite beyond me, but I like the idea.

> I see significant value in such research, if it could be authorized and conducted at scale. What this guy (and Moore) did reveals a great deal about the general health and security of the public Internet, at all levels. ISPs and other network owners and operators, private or otherwise, might even pay for the information - but probably shouldn't have to.

There is the start of an authorized project of that nature at http://www.netdimes.org/new/ a distributed computing project that is working on mapping the internet and checks at least the ping response of all IPs. With additional help and funding I'm sure it could be expanded to include additional checks and information.

Arstechnica has a team that is contributing to the project. viewtopic.php?f=18&t=35620 if you want to join in and need any help, just ask us and we'll be nice, I promise!

I for one am not upset at this. It's interesting information and once again gives some publicity to all the security vulnerabilities out there on the internet. And this researcher's intentions don't seem to be very evil (although who really knows!?).

And yes, right now is probably the only time a botnet could brute force scan all the addresses and ports out there on the internet, until IPv6 grants us too many possibilities.

I've always tried to be conscientious about securing my networks and devices but this article makes me feel like I still haven't done enough. Beyond using better passwords what can be done to further secure consumer level networks? Any recommendations on how to go about testing the vulnerability of my stuff?

Apropos of nothing, but whenever I see these kinds of something-activity maps it's always fascinating to note how utterly dark and empty North Korea is, surrounded by its much more active neighbors. It also shows up in Earth at Night images.

It's not the port scans that are unauthorized, it's installing software on devices remotely without consent of the owners.

Is there any proof that he used an illegal botnet?

I'm sure he or she just so happened to own four hundred and twenty thousand devices scattered around the world. This person is not even pretending in the slightest they did not hack thousands of machines.

Personally I hope they successfully remain anonymous because this is beautiful, beautiful research, but if they get caught there's not really any arguing out of having hacked at a massive scale.

> It's not the port scans that are unauthorized, it's installing software on devices remotely without consent of the owners.

> Is there any proof that he used an illegal botnet?

The creation of his botnet is precisely the illegal part. He wrote a program that would scan and find computers that it could install itself onto, without any interaction whatsoever from the owners of those computers. That's the illegal part (at least in the US as mentioned by the article, and likely in most countries that the affected machines reside).

> I've always tried to be conscientious about securing my networks and devices but this article makes me feel like I still haven't done enough. Beyond using better passwords what can be done to further secure consumer level networks? Any recommendations on how to go about testing the vulnerability of my stuff?

I'd start with GRC's Shields Up test. It'll check for any open ports, and he's added some UPnP tests too recently.

> I see significant value in such research, if it could be authorized and conducted at scale. What this guy (and Moore) did reveals a great deal about the general health and security of the public Internet, at all levels. ISPs and other network owners and operators, private or otherwise, might even pay for the information - but probably shouldn't have to.

> Think about the government-sponsored "Sam Knows" broadband study as an example, and then add the benefits of detecting major security issues, including the installation of actual malware, such as Aidra. It goes way beyond "what ports are open that probably shouldn't be?" Major benefits there! Ownership and/or governance are quite beyond me, but I like the idea.

And the jurisdiction of each and every machine, because extradition treaties

Not that any country is seriously gonna try to extradite someone over borrowing a few routers for some scans, they have better things to worry about. As long as the actual router malware distributors walk free, I doubt any serious effort will be put into catching this person unless they make it really easy.

> I've always tried to be conscientious about securing my networks and devices but this article makes me feel like I still haven't done enough. Beyond using better passwords what can be done to further secure consumer level networks? Any recommendations on how to go about testing the vulnerability of my stuff?

Be interesting if he would release the scanning software and let users willingly contribute, like the FOLD project.

Uhh yeah, because no one would use software like this in a malicious way...

I'm fine with everything in this article except one part. I take issue with the whole "I installed a botnet that detected malicious software so I tried to block it, sort of." I would rather, if the guy's intentions were to protect the people he was "using," that he simply report users that were part of DDoS attacks to their ISPs so that they could be informed they were compromised.

I work for an ISP and you'd be pretty surprised how many times I see people bridging modems or routers and having their printer, smart TV and every computer publicly visible.

> I see significant value in such research, if it could be authorized and conducted at scale. What this guy (and Moore) did reveals a great deal about the general health and security of the public Internet, at all levels. ISPs and other network owners and operators, private or otherwise, might even pay for the information - but probably shouldn't have to.

> There is the start of an authorized project of that nature at http://www.netdimes.org/new/ a distributed computing project that is working on mapping the internet and checks at least the ping response of all IPs. With additional help and funding I'm sure it could be expanded to include additional checks and information.

> Arstechnica has a team that is contributing to the project. viewtopic.php?f=18&t=35620 if you want to join in and need any help, just ask us and we'll be nice, I promise!

While I can see "privacy" being a concern, I also see serious value in this research. It might take something like this to really get our government to truly secure our internet infrastructure.

That said, I'm curious if the printers, etc. that were found to be insecure were behind a standard router firewall or literally connected directly to the modem providing internet.

I think it's fair to say most of us have network printers and those printers share the same router as our PCs and iPads. If these are vulnerable, even if the rest of the network is otherwise secure, it's probably worth the time and money to put them behind another network layer.

I get a steady scan volume of ~200 attempts per day per machine with an SSH port exposed to the world. I don't have password authentication enabled on my SSH servers, so scans don't especially worry me, but they are constant and ongoing. In a cursory log check, it looks like yesterday was an outlier, with about 2500 attempts, all dropped during "preauth", which I assume is where the server tells the client that passwords aren't accepted.

I stay fairly current on this stuff, and feel bad when I let my machines go more than a couple of weeks without a patch check. I'm slightly astonished at how bad the public Internet is.

Remember those old SF stories, the ones where advanced AIs were immediately able to infect networks all over the planet, keeping themselves alive forever? I used to scoff at those. I thought that the security problems were temporary, and that we'd have things long since locked down by now.
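The daily log check the commenter describes above, written out as an added example (not code from the page or its author): a small Python parser that counts OpenSSH "[preauth]" rejections per day, flags a day whose volume jumps far above the median (the 200-versus-2500 case), and reports which usernames and source addresses the scanners are guessing. The log lines are constructed samples, and the outlier thresholds are assumptions.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample lines (not taken from the page) in OpenSSH's syslog
# format; every rejected pre-authentication disconnect carries "[preauth]".
SAMPLE_LOG = """\
Mar 18 02:11:05 host sshd[2201]: Disconnected from authenticating user root 203.0.113.5 port 51234 [preauth]
Mar 18 02:11:09 host sshd[2203]: Connection closed by 203.0.113.5 port 51240 [preauth]
Mar 18 09:30:12 host sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2: ED25519 SHA256:xxxx
Mar 19 01:02:03 host sshd[2501]: Disconnected from authenticating user admin 203.0.113.9 port 33001 [preauth]
Mar 19 01:02:05 host sshd[2502]: Disconnected from authenticating user admin 203.0.113.9 port 33002 [preauth]
Mar 19 01:02:07 host sshd[2503]: Connection closed by 203.0.113.9 port 33003 [preauth]
Mar 19 01:02:09 host sshd[2504]: Disconnected from authenticating user root 203.0.113.10 port 33004 [preauth]
Mar 19 01:02:11 host sshd[2505]: Connection closed by 203.0.113.10 port 33005 [preauth]
Mar 19 01:02:13 host sshd[2506]: Disconnected from authenticating user root 203.0.113.11 port 33006 [preauth]
Mar 20 03:00:00 host sshd[2601]: Connection closed by 203.0.113.12 port 44000 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<msg>.*)\[preauth\]\s*$"
)
IP_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
USER_RE = re.compile(r"authenticating user (?P<user>\S+) ")


def parse_preauth(log_text):
    """Return (day, source_ip, username_or_None) for each [preauth] disconnect."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = IP_RE.search(m["msg"])
        user = USER_RE.search(m["msg"])
        events.append((" ".join(m["day"].split()),
                       ip["ip"] if ip else None,
                       user["user"] if user else None))
    return events


def attempts_per_day(events):
    """Daily count of rejected attempts, in order of first appearance."""
    counts = {}
    for day, _ip, _user in events:
        counts[day] = counts.get(day, 0) + 1
    return counts


def outlier_days(counts, factor=2.0, min_attempts=5):
    """Days whose volume exceeds factor x the median day (thresholds are assumed)."""
    if not counts:
        return []
    baseline = median(counts.values())
    return [d for d, n in counts.items() if n >= min_attempts and n > factor * baseline]


def usernames_tried(events):
    """Which account names the scanners are guessing; root and admin dominate."""
    return Counter(user for _d, _ip, user in events if user)


def top_sources(events, n=5):
    """Most active source addresses, for firewall rules or abuse reports."""
    return Counter(ip for _d, ip, _u in events if ip).most_common(n)
```

On a real host, feed it `journalctl -u ssh` or `/var/log/auth.log` output instead of the sample text.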

Another plus for IPv6, obscurity through magnitude. What I found the most fascinating was how the researcher killed botnets when infecting the machines. We need an internet batman who creates an anti-virus that goes around uninstalling other botnets. A massive battle it would be.

> Another plus for IPv6, obscurity through magnitude. What I found the most fascinating was how the researcher killed botnets when infecting the machines. We need an internet batman who creates an anti-virus that goes around uninstalling other botnets. A massive battle it would be.

Japan actually played around with this idea - a government-sponsored un-worm. Unfortunately the simple fact of the matter is that there are so, so many ways for it to go wrong without resorting to science fiction hypotheticals. A "batman" has the advantage of having already decided to work outside the law, and do things the naughty but effective way... until malware authors commandeer it, or it inadvertently crashes a hospital network, or it turns up on one government's machines and they wig out and accuse an enemy government of hacking them...

On the one hand, I understand the ethical problem about violation of privacy. On the other hand, if you can get over that, this is actually a really good opportunity to understand some of the security issues that exist on the internet today. I work for an online service provider and one of the big questions I keep getting asked during my career is, "How does my account get hacked?" There are some generic answers, but then there are some more technical answers that, if clarified and made public knowledge, may really help the average consumer to protect themselves from online theft.

> The research project almost certainly violated federal statutes prohibiting the unauthorized access of protected computers and possibly other hacking offenses. And since the unknown researcher is willing to take ethical and legal liberties in his work, it's impossible to verify that he carried out the project in the manner described in the paper.

It is unfortunate that we have existed this long and our interpretation of breaking the law is based upon the simple principle of "did you do something, yes/no?" rather than being based upon the principle of intention of malice. This has allowed large companies and financial institutions to get away with the malicious but legal appropriation of the life savings of hard working people, while the non-malicious scanning of IP addresses on the internet will get you jail time.